Preliminary Privacy Impact Assessment for the Canadian Forces Health Information System Full Capability
Author: Peter Pakeman, PAKEMAN & Associates
Version: 2.0 (Final)
Date: June 1, 2004
Executive Summary
This report is a Preliminary Privacy Impact Assessment (PPIA) on the Canadian Forces Health Information System (CFHIS) Project with a focus on Full Capability (FC). The report builds on the findings and recommendations of the CFHIS Limited Capability (LC) Privacy Impact Assessment (PIA) completed in January 2004.
The report was conducted using Treasury Board guidelines for conducting PIAs, which incorporates the ten principles of the Canadian Standards Association (CSA) Model Code for assessing fair information handling practices.
The major findings and recommendations to mitigate potential privacy risks for CFHIS FC are presented below in a framework that is consistent with the ten principles of fair information handling practices:
Principle 1 - Accountability
A Privacy Officer position has been established, and is currently filled by a contractor. Efforts continue to permanently staff the position.
It is undetermined whether CF Health Services Group (CF H Svcs Gp) has formal agreements (e.g., service level agreements) with its third party health care providers that establish privacy requirements. Once CFHIS business processes are completed and the various actors are identified, an investigation into whether such agreements exist and whether they adequately establish privacy requirements is required.
The recently drafted report, Data Sharing & Privacy: Common Data Holdings and the Master Patient Index v 0.1 (March 9, 2004), recognized that CFHIS may require more data from stakeholder systems (e.g., HRMS). This data may or may not fall into the current definition of common data holdings (CFHIS Master Patient Index, as defined in the report, MPI Update Analysis and Recommendation, February 2004). The report is promulgated for review and comments. It is anticipated that the implementation of recommendations will further enhance Principle 1 - Accountability.
Principle 2 - Identifying Purpose
The recently drafted report, Data Sharing & Privacy: Common Data Holdings and the Master Patient Index v 0.1 (March 9, 2004) makes a number of recommendations to address concerns about Personal Information Bank (PIB). A decision was recently made to have the Privacy Officer initiate the process to implement the following recommendations:
- Revise the current PIB Number PPE 810 for the medical record to reflect both hard copy records (i.e., CF 2034) and all other media (i.e., electronic) and to align it with recently approved MSIs related to Privacy and Information Management/ Records Management.
- Finalize a model for defining purposes and uses of personal health information.
- Prepare a Notice that outlines CF H Svcs Gp's commitment to privacy and statements that describe how an individual's (e.g., CF member's) personal health information will be used and protected.
Principle 3 - Consent
No privacy risks are identified at this time.
Principle 4 - Limiting Collection
In order to assess whether data is unnecessarily collected, there needs to be an understanding of what data is being collected and how it will be used. Some of this activity began in Phase 1 with the partial development of a Data Dictionary; this activity continues, in part, under the MISG Project. It is anticipated that there will be a significant gap between the number of data elements being assessed/mapped by MISG and the number of data elements that CFHIS will capture. It is recommended that efforts continue to prepare a basic data dictionary that defines elementary data items for CFHIS.
Principle 5 - Use, Disclosure, Retention
As previously stated (see Principle 2 - Identifying Purpose), a decision was recently made to implement key recommendations from the drafted report, Data Sharing & Privacy: Common Data Holdings and the Master Patient Index v 0.1 (March 9, 2004).
Use
The CFHIS project is currently documenting business processes, which will assist with identifying information uses. Once completed, the primary and secondary uses of data will be better understood and can be incorporated into the model (see Principle 2 - Identifying Purpose) for defining purposes and uses of personal health information. It is anticipated that the primary purposes of information will be substantially similar to those presently described in PIB Number PPE 810.
Disclosure
As above, the Project is currently documenting business processes. Once completed, an assessment about what information is disclosed to whom and how will be conducted to ensure unauthorized disclosure does not take place.
The disclosure of CFHIS data will be consistent with MSI CF 2000-003 (Disclosure of Personal Information) which is drafted and currently promulgated.
There is a requirement (as per the Privacy Act) to log/track personal information disclosures. There is also a CFHIS 62.4.6 requirement to create a record of who accessed what information within the EHR, with details of what information was printed or released; this project requirement is not yet defined. The Privacy Officer is currently working on a Decision Request report on auditing, which will contribute to defining CFHIS 62.4.6. The Privacy O, ISSO, IM/RM HQ, and Manager of Health Records are currently responding to the Decision Request.
Retention
The Defence Subject and Classification Disposition System (DSCDS) is a records management system sanctioned by the National Archives of Canada (NA). DND/CF units must use the DSCDS to organize information holdings. The section Medical Plans and Services (Primary # 6610) inaccurately describes how aspects of health records/documents are stored, retrieved, used and disposed of. There is a requirement to amend DSCDS #6610 to ensure it differentiates the authoritative sources governing the management of health records, as defined by MSI CF 2000-000, and thereby avoid any further confusion. The Privacy O, IM/RM HQ, and Manager of Health Records are currently drafting the amendments.
Principle 6 - Accuracy
A number of risks concerning the accuracy of health information were previously identified in the PIA (January 2004). Below are a follow-up and an update to those risks.
Data Dictionary
In order to assess data accuracy, it is necessary to define or describe data items CFHIS will collect. It is recommended that the Project develop a basic data dictionary that defines elementary data items (see Principle 4 - Limiting Collection) in order to avoid confusion, misunderstandings, and mitigate project risks.
Notices of Correction
There is a requirement (as per the Privacy Act) to provide notices of correction to third parties to whom incorrect information was disclosed within the 2-year period prior to the time of correction. To satisfy this requirement CFHIS will have to know: (a) what information was disclosed, and to whom; and (b) what information was corrected. It is recommended that the Project consider how and if this can be accomplished in CFHIS (see also Principle 5 - Use, Disclosure, Retention). In addition, the Privacy Officer and IM/RM HQ will draft an amendment for MSI CF 2000-003 (Disclosure of Personal Information) to address this Privacy requirement.
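The disclosure log called for under Principle 5 and the notice-of-correction look-up described above can be served by one record structure. The following is an added illustration, not CFHIS project code: an append-only disclosure log whose entries carry the patient, data element, recipient, releasing user and date, and a query that returns the third parties owed a notice for an element corrected on a given date. The identifiers, recipients and dates are constructed for the example.

```python
# Added example (not CFHIS project code): an append-only disclosure log that answers
# what the Notice of Correction requirement needs: (a) what was disclosed, to whom and
# when, and (b) which recipients got a later-corrected element within the 2-year window.
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Disclosure:
    patient_id: str   # hypothetical CFHIS record identifier
    element: str      # data element released, e.g. "allergies"
    recipient: str    # third party that received it
    actor: str        # user who printed/released it (the "who" in CFHIS 62.4.6)
    disclosed_on: date

def two_years_before(d: date) -> date:
    """Start of the Privacy Act look-back window; 29 Feb rolls back to 28 Feb."""
    try:
        return d.replace(year=d.year - 2)
    except ValueError:
        return d.replace(year=d.year - 2, day=28)

class DisclosureLog:
    def __init__(self) -> None:
        self._entries: list[Disclosure] = []

    def record(self, entry: Disclosure) -> None:
        self._entries.append(entry)  # append-only: no update/delete path

    def notice_recipients(self, patient_id: str, element: str, corrected_on: date) -> list[str]:
        """Third parties owed a notice of correction for this patient's element."""
        start = two_years_before(corrected_on)
        return sorted({e.recipient for e in self._entries
                       if e.patient_id == patient_id and e.element == element
                       and start <= e.disclosed_on <= corrected_on})

CORRECTED_ON = date(2004, 5, 1)   # constructed correction date
LEAP_DAY = date(2004, 2, 29)

def sample_log() -> DisclosureLog:
    """Constructed entries, not real disclosures."""
    log = DisclosureLog()
    log.record(Disclosure("P001", "allergies", "Civilian Hospital", "clerk1", date(2004, 3, 1)))
    log.record(Disclosure("P001", "allergies", "Pharmacy", "clerk2", date(2002, 5, 15)))
    log.record(Disclosure("P001", "allergies", "Insurer", "clerk1", date(2001, 11, 15)))  # too old
    log.record(Disclosure("P001", "immunizations", "Insurer", "clerk1", date(2004, 2, 1)))  # other element
    log.record(Disclosure("P002", "allergies", "Insurer", "clerk2", date(2004, 4, 1)))  # other patient
    return log
```

Because the query keys on patient and data element rather than on the whole record, the log only supports notices of correction if disclosures are recorded at element level; a log that records only "record printed" cannot answer question (a).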
Merge/ Combine Functionality
The risk of creating duplicate records is real, and a means to merge or combine records is essential. In order to design an appropriate solution, an understanding and an agreement on the patient encounter structure is required. Aspects of the required functionality are developed, and efforts towards resolving outstanding issues continue.
Master Patient Index (MPI)
Stakeholders continue to voice their concerns about the quality (incl. timeliness) of HRMS data that 'feeds' CFHIS. Currently, Pilot Site users report no problems; however, it is recommended the Project continue receiving feedback from CFHIS users as it is rolled out across the country and to take corrective measures, if and as required.
Unique identification numbers used by CFHIS can take three forms: (a) Service Numbers; (b) CFHIS-generated numbers; and (c) manually entered numbers. There is a risk of creating more than one ID number (or record) for the same individual, because manually entered numbers are not validated/ verified. It is recommended the Project ensure duplicates do not exist.
Capture of visits to external health care providers
Recognizing that Phase II processes will continue to rely on the paper-based CF 2034, the recording of members' visits to external health care providers within CFHIS could provide:
- A visual reminder to clinicians to request the CF 2034 and to become knowledgeable about the nature of the visit, diagnosis, treatment, and outcome.
- A reminder (or electronic trigger) to alert health records to expect to receive copies of treatment records from external providers.
- A reminder (or electronic trigger) to alert claims administrators to expect to receive claims.
- Quality Control reports to ensure expected and outstanding items (e.g., copies of treatment records) are followed up and actioned.
This event is analogous to orders and results, whereby there is an expectation to receive a result (in this case a copy of treatment records, or a claim) when an order is placed (in this case the 'posting' of a visit/encounter to an external provider). It is recommended the Project consider the capture of visits by members to external health care providers, which would provide a complete and accurate profile of a member's visit history; the visit could also provide the basis upon which third party information imported from external providers can be linked within CFHIS.
Principle 7 - Safeguards
The goal of the security design for CFHIS is to protect the information contained in the system in storage or in transit from unauthorized access. CFHIS FC is designed and developed to maintain and manage Protected B information.
Several of the CFHIS security risks identified in the PIA (January 2004) were related to recommendations made in a previous Threat Risk Assessment (TRA) completed in March 2001. These items are detailed in the Privacy Analysis Section of this report. The summary items listed below are requirements that are a work-in-progress and must be completed for Phase 2 as mandatory activities for transferring operations to Borden (DESC):
- The establishment of a CFHIS IT Security Program; this is a work in progress.
- The establishment of a formal IT Media Security Program; this is a work in progress.
One key concern identified in the PIA (January 2004) was the absence of a robust, flexible and user-friendly Access Control Model. The model for CFHIS-LC is currently drafted; the roles are defined; and there are plans to pilot it, and modify it as required for use in CFHIS-FC. The privacy risks associated with the model are not intrinsic to the model itself, but lie in the establishment and assignment of roles. That is, if the roles are incorrectly established or assigned, then there is a risk that users could access more information than is necessary for them to perform their jobs. Although there are no standards, the creation of an audit strategy and program can provide additional information to balance security requirements and confidentiality, to ensure information is available to individuals (e.g., users, stakeholders) on a need-to-know basis. The Privacy O, IM/RM HQ, and Manager of Health Records are currently preparing a response to the Decision Request for audits.
Principle 8 - Openness
As previously indicated, efforts to fill the Privacy Officer position continue. Once employed, there is a requirement to publish contact information about the Privacy O and details about the Privacy Program. In the interim, a consultant has been contracted to initiate the development of a Privacy Program for CF H Svcs Gp.
Principle 9 - Individual Access
Individual access by CF members to their personal information is consistent with DAOD 1002-2 (Informal Access to Personal Information) and MSI CF 2000-002 (Access Control of Personal Health Information).
The development of detailed business processes is a work-in-progress. One such process will involve providing authorized requestors with information. CFHIS has a requirement to provide such information as a printed record/document(s); this requirement is a system acceptance criterion for Phase 2.
There is also a Privacy requirement to provide members access to their personal health information in an alternate media format, if requested. Currently, there are no plans to provide information in a format other than paper. It is recommended that other alternative media formats (e.g., electronic) such as CD be considered.
Principle 10 - Challenging Compliance
CF members can make complaints to their Clinic Manager or Base/Wing Surgeon concerning information contained in the medical record. If members are not provided with access to requested information or are not satisfied with the outcome of their request, they can formally file a CF grievance or file a complaint with the federal Privacy Commissioner. This process needs to be changed to recognize the role of the Privacy O, and communicated across CF H Svcs Gp. This is a Privacy O responsibility, which will be incorporated in the Privacy Program.
A tool to log and track privacy requests/ complaints to ensure they are responded to within the time limits permitted by law does not exist. There is a requirement to determine how requests/ complaints by CF members and others across CF H Svcs Gp will be logged and tracked. This requirement is a Privacy O responsibility, which is currently being addressed.